North Korean IT workers—or how not to solve the IT staff shortage
North Korea has been infiltrating organizations using IT workers with fake identities.
A recent Google blog based on Mandiant research has shown that North Korea (strictly, the Democratic People’s Republic of North Korea or DPRK) has been trying to obtain employment for some of its citizens as IT workers across a wide range of industries.
This campaign disguised the true identity of the IT workers, so they would not be rejected as North Korean nationals. This served three possible purposes:
- Generating revenue for the DPRK, despite sanctions.
- Spying on the employers.
- Enabling cyber-intrusions.
According to Mandiant, the DPRK pulled the wool over employers’ eyes using front companies that provided workers with pseudonymous email accounts, social media accounts, payment platform accounts, online job site accounts, and stolen identities.
The organizations behind the curtain are by no means small. The US Department of Justice prosecuted a man who ran approximately 871 proxy identities, provided proxy accounts for three freelance US IT hiring platforms, and provided proxy accounts for three different US-based money service transmitters.
These facilitators provide essential services that include, but are not limited to, money laundering, receiving and hosting company laptops at their residences, using stolen identities for employment verification, and accessing international financial systems.
The IT workers themselves were often individuals sent by the North Korean government to live primarily in China and Russia, with smaller numbers in Africa and Southeast Asia. Their mission was to secure lucrative jobs within western companies, especially in the US technology sector, and they regularly worked more than one job.
Due to their technical knowledge, the remote workers were able to occupy important positions with elevated access to code and computers. This allowed them to modify the source code of applications or deploy backdoors in software and computer systems.
The IT workers often claimed to live in one location but requested their laptop be shipped to another location, where it became part of a “laptop farm.” The laptops were often loaded with remote management software, and the workers would then access their company laptop from another location entirely.
Mandiant has identified evidence that these laptops are often connected to an IP-based Keyboard Video Mouse (KVM) device, and a recurring theme across these incidents is the installation of multiple remote management tools on victim corporate laptops immediately after shipment to the farm. Both indicate that the individual is connecting to the corporate system remotely over the internet, and may not be located in the city, state, or even country in which they claim to reside.
Charles Carmakal, CTO of Mandiant, said in a statement that he has spoken to dozens of Fortune 100 organizations that have accidentally hired North Korean IT workers. Among the victim companies are a major television network, a Silicon Valley technology company, an aerospace and defense company, an American car manufacturer, a luxury retail store, and a US media and entertainment company.
The IT workers often had these identifying features in common:
- They were based in the US but touted education credentials from universities outside of North America, such as Singapore, Japan, or Hong Kong.
- The IT workers claimed to live in one location but requested the laptop to be shipped to another location.
- Their laptops were equipped with multiple remote management tools.
- Connections to remote management tools often used the Astrill VPN, and likely originated from China or North Korea.
- DPRK employees were often reluctant to turn on cameras, and used fake backgrounds during interviews.
Prevention
The best way is to conduct your interviews in person, but since that’s not always an option, here are some other things you can do:
- Require strict background checks, including the collection of biometric information for comparison against known identities via specialized background checking services.
- Use cameras during interviews to ensure that a candidate’s appearance matches their online profiles and the identification they provided, and ask questions that test whether their answers are consistent with their purported background.
- Train interviewers and make them aware of the tactics deployed by the IT workers and their facilitators.
- Monitor for the use of profile pictures modified by artificial intelligence (AI).
- Require notarized proof of identity prior to employment.
- Use an endpoint detection and response (EDR) tool on the IT worker’s work device(s).
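As an added example (not part of the original article or of Mandiant’s research), the indicators described above can be turned into a simple triage check over endpoint telemetry: a ship-to address that differs from the claimed residence, several remote management tools installed within days of delivery, and remote sessions arriving through a commercial VPN provider. The tool names, the VPN label, the events, and the dates are constructed sample data; the three-day window and two-tool threshold are assumptions to tune locally.

```python
from datetime import datetime, timedelta

# Remote management tools to look for; a constructed starter list, not an
# authoritative one. Extend it from your own software inventory.
RMM_TOOLS = {"anydesk", "teamviewer", "rustdesk", "tightvnc", "splashtop"}
# VPN providers whose presence in session metadata is worth a second look.
# Astrill is the one named in the article; add others from your own intel.
VPN_PROVIDERS = {"astrill"}


def assess_device(shipped_to, claimed_city, delivered_at, events,
                  window_days=3, min_tools=2):
    """Return the list of article indicators this device matches.

    events: iterable of (timestamp, kind, detail) tuples, where kind is
    "software_install" or "remote_session" and detail is free text.
    """
    findings = []
    if shipped_to.strip().lower() != claimed_city.strip().lower():
        findings.append(f"ship-to '{shipped_to}' differs from claimed residence '{claimed_city}'")
    cutoff = delivered_at + timedelta(days=window_days)
    early_rmm = {detail.lower() for ts, kind, detail in events
                 if kind == "software_install" and detail.lower() in RMM_TOOLS
                 and delivered_at <= ts <= cutoff}
    if len(early_rmm) >= min_tools:
        findings.append(f"{len(early_rmm)} remote management tools installed within "
                        f"{window_days} days of delivery: {sorted(early_rmm)}")
    vpn_hits = [detail for ts, kind, detail in events
                if kind == "remote_session"
                and any(v in detail.lower() for v in VPN_PROVIDERS)]
    if vpn_hits:
        findings.append(f"{len(vpn_hits)} remote session(s) attributed to a known VPN provider")
    return findings


# Constructed telemetry for one laptop (sample data, not a real incident).
DELIVERED = datetime(2024, 5, 6, 14, 0)
SAMPLE_EVENTS = [
    (datetime(2024, 5, 6, 15, 2), "software_install", "AnyDesk"),
    (datetime(2024, 5, 6, 15, 10), "software_install", "TeamViewer"),
    (datetime(2024, 5, 7, 9, 30), "software_install", "Visual Studio Code"),
    (datetime(2024, 5, 7, 21, 45), "remote_session", "inbound AnyDesk session, egress ASN: Astrill VPN"),
    (datetime(2024, 6, 1, 10, 0), "software_install", "RustDesk"),  # outside the window
]


def run_sample():
    """Evaluate the constructed laptop: ship-to Dallas, claimed residence Seattle."""
    return assess_device("Dallas, TX", "Seattle, WA", DELIVERED, SAMPLE_EVENTS)
```

The same laptop shipped to the claimed residence, with only the editor install and no VPN-attributed session, returns an empty list, which is the expected outcome for the overwhelming majority of new hires.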